Labour have gone all in on their attacks on me and my alleged puppet masters in National. They forgot, though, that Trevor Mallard mounted a month's worth of attacks on me for being in the pocket of Don Brash and ACT. So it is clear they are not “on message”, as they say in the beltway.
After I posted my video that showed how easy it was to obtain data from their wide-open site, the IT community unanimously delivered their verdict that Labour and no one else was to blame for their woeful breach of people’s privacy.
Commenters at Kiwiblog and other sites quickly realised what I did long ago, and that was that Google and other bots had archived Labour’s open site extensively. All their data is still in the cache and will be for quite some time.
Doing a simple cache search of the root domain with the word “password” added shows just how bad their security was.
The problem, however, was much worse than that. Way worse. Remember that Chris Flatt, the Labour General Secretary, sent out a letter and email to their donors assuring them that their credit card details were safe. He shouldn’t have been too hasty with that assurance.
In the MySQL database files there were also plain text strings that contained other database passwords along with the username and passwords of their credit card provider.
$db_url = 'mysqli://labour_admin:N0t3b00kC0r0n3t@localhost/labour_production';
which equates to $db_url = 'mysqli://username:password@localhost/databasename';
Their credit card provider admin details were:
This shows the appalling lack of security not only for the donor and membership details but also with regard to usernames and passwords for other secure areas.
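For anyone wanting to check their own backups and web-served directories for the same mistake, here is an added example (not part of the original post and not anyone's production code) that finds `$db_url` lines in the format quoted above and reports them with the password masked. The function name and the sample text are made up for illustration.

```python
import re
from urllib.parse import urlsplit

# Matches assignments in the format quoted in the post:
#   $db_url = 'mysqli://username:password@localhost/databasename';
# Curly quotes are accepted because copied text often carries them.
DSN_RE = re.compile(
    r"""\$db_url\s*=\s*['"\u2018\u2019]"""
    r"""(?P<dsn>[a-z][a-z0-9+.-]*://[^'"\u2018\u2019\s]+)""",
    re.IGNORECASE,
)


def find_embedded_credentials(text):
    """Return one finding per $db_url DSN that carries a password.

    The password itself is never returned, so the report can be shared.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in DSN_RE.finditer(line):
            parts = urlsplit(match.group("dsn"))
            if not parts.password:
                continue  # a DSN without a password is not a finding
            redacted = "%s://%s:***@%s%s" % (
                parts.scheme, parts.username, parts.hostname, parts.path)
            findings.append({
                "line": lineno,
                "user": parts.username,
                "database": parts.path.lstrip("/"),
                "redacted": redacted,
            })
    return findings


# Constructed sample: a fragment of a SQL dump or config backup.
SAMPLE = """\
INSERT INTO notes VALUES (1, 'deploy checklist');
$db_url = 'mysqli://example_admin:ExamplePassw0rd@localhost/example_production';
$db_url = 'mysqli://readonly@localhost/example_reports';
"""

if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE):
        print("line %(line)d: %(redacted)s (user=%(user)s, db=%(database)s)" % f)
```

Any hit in a file that a web server can serve, or that a search engine has already cached, means the password should be treated as compromised and changed.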
I never accessed those areas; to do so would have been illegal. But given that their systems were open and exposed long enough that Google and 9 other bots were able to cache the entire directory system, there is a good chance that Russian or Nigerian scamsters also were able to obtain access to the database and credit card processing passwords that Labour left exposed. Chris Flatt cannot give any assurances that their donor details, including credit cards, were safe and secure.
I know that Labour have been warned about the details of this post so presumably their IT muppets have now changed these details.
On a final note regarding Labour’s woeful use of technology, I note that John Pagani and the muppets at The Standard have been relying on IP address information. I am assuming that this information was provided by the same IT muppets that secured their site so well. Probably not really that useful then, is it?
Heads really do have to roll. Pity Labour will as usual pick on some low level worker and rinse them instead of taking out the ones really responsible like Phil Goff, or Andrew Little or Chris Flatt or Moira Coatsworth. Their lacklustre leadership is what has led to this balls-up, not some poor IT worker doing his best with the pitiful resources their leadership have procured through their lack of donations. A properly performing political party can fund things like this appropriately; Labour are clearly broken-arsed and getting poorer.